identified patent application as follows:

In the claims : 

1. A method for sending a message from a first
computer system C1 that belongs to an internal network, which is
protected by a firewall, to at least one other computer system C2
through the firewall comprising:

a) sending from the first computer system to the
firewall, a request with data for a new connection
to be opened between the first computer system C1
and at least one other computer system C2 for a
message to be sent between said computer
systems C1, C2,

b) the firewall controls the data for the new
connection via which the message is intended to be
sent and, upon approval of the connection by the
firewall, sending from the firewall to the first
computer system C1, information about the
necessary modifications to be made in a message
that is sent via the requested connection through
the firewall, so that the message can pass
through, the necessary modifications including IP,
protocol, TCP and/or port data,

c) modifying, by the first computer system C1, the
message to be sent in accordance with the
information sent from the firewall,

d) optionally, and before or after step c), sending
from the first computer system C1 to the firewall
identification data of the connection for the
message to be sent between said computer
systems C1, C2 so that the connection for the
message can be identified by the firewall and the
message can pass the firewall,

e) sending the message from the first computer
system C1 to the at least one other computer
system C2 through the firewall.

2. The method according to claim 1 wherein the
message to be sent between said computer systems C1, C2 is
protected in step c) after it has been modified, whereby step d)
is necessary and the data to be sent from the first computer
system C1 to the firewall includes the necessary information so
that the connection for the message can be identified by the
firewall.

3. The method according to claim 2 wherein the
protection is made using the IPSec system.

4. The method according to claim 2 wherein the
message to be sent is authenticated.

5. The method according to claim 2 wherein the
message to be sent is encrypted in step c).

6. The method according to claim 1 wherein the
information message in point a) contains data of the new
connection to be opened between the first computer system C1 and
at least one other computer system C2 in form of address
identification data and possible other parameters.

7. The method according to claim 6 wherein the
possible other parameters are data about the port and the
protocol used for sending.

8. The method according to claim 1 wherein in step b)
the modifications include address identification data and/or the
port and/or the protocol used for sending.

9. The method according to claim 1 wherein the
message is using the TCP/IP protocol.

10. The method according to claim 1 wherein the
message is sent via the Internet.



REMARKS

Reconsideration of the application is respectfully
requested. The claims have been amended so that the application
better conforms to U.S. Patent Practice. A copy of the marked-up
amended claims is attached as Appendix A.

An abstract on a separate page has been added as
Appendix B.

The application is submitted to be in condition for
allowance, and such action is respectfully requested.

Respectfully submitted,
FASTH LAW OFFICES

Rolf Fasth

Registration No. 35,999

5255 Camelot Forest Drive
Jacksonville, FL 32258-2516

Telephone: (904) 288-0262
APPENDIX A

Marked-Up Claims

1. [Method] A method for sending a message from a
first computer system C1 that belongs to an internal network,
which is protected by a firewall, to at least one other computer
system C2 through the firewall [characterized in the following
steps] comprising:

a) sending from the first computer system to the
firewall, a request with data for a new connection
to be opened between the first computer system C1
and at least one other computer system C2 for a
message to be sent between said computer
systems C1, C2,

b) the firewall controls the data for the new
connection via which the message is intended to be
sent and, upon approval of the connection by the
firewall, sending from the firewall to the first
computer system C1, information about the
necessary modifications to be made in a message
that is sent via the requested connection through
the firewall, so that the message can pass
through, the necessary modifications including IP,
protocol, TCP and/or port data,

c) modifying, by the first computer system C1, the
message to be sent in accordance with the
information sent from the firewall,

d) optionally, and before or after step c), sending
from the first computer system C1 to the firewall
identification data of the connection for the
message to be sent between said computer systems
C1, C2 so that the connection for the message can
be identified by the firewall and the message can
pass the firewall,

e) sending the message from the first computer system
C1 to the at least one other computer system C2
through the firewall.

2. [Method of claim 1, characterized in that,] The
method according to claim 1 wherein the message to be sent
between said computer systems C1, C2 is protected in step c)
after it has been modified, whereby step d) is necessary and the
data to be sent from the first computer system C1 to the firewall
includes the necessary information so that the connection for the
message can be identified by the firewall.

3. [Method of claim 2, characterized in that] The
method according to claim 2 wherein the protection is made using
the IPSec system.

4. [Method of claim 2 or 3, characterized in that]
The method according to claim 2 wherein the message to be sent is
authenticated.

5. [Method of any of claims 2 - 4, characterized in
that] The method according to claim 2 wherein the message to be
sent is encrypted in step c).

6. [Method of any of claims 1 - 5, characterized in
that] The method according to claim 1 wherein the information
message in point a) contains data of the new connection to be
opened between the first computer system C1 and at least one
other computer system C2 in form of address identification data
and possible other parameters.

7. [Method of claim 6, characterized in that] The
method according to claim 6 wherein the possible other parameters
are data about the port and the protocol used for sending.

8. [Method of any of claims 1 - 7, characterized in
that] The method according to claim 1 wherein in step b) the
modifications include address identification data and/or the port
and/or the protocol used for sending.

9. [Method of any of claim 1 - 7, characterized in
that,] The method according to claim 1 wherein the message is
using the TCP/IP protocol.

10. [Method of any of claim 1 - 8, characterized in
that,] The method according to claim 1 wherein the message is
sent via the Internet.
APPENDIX B



ABSTRACT 

The invention is concerned with a method for sending a 
message on a computer network from a first computer system to at 
least one other computer system through a firewall . The method 
comprises the following steps: a request with data for a new 
connection between the first computer system and at least one 
other computer system is sent from the first computer system to 
the firewall for a message to be sent between said computer 
systems. Upon approval of the connection by the firewall, 
information about necessary modifications to be made in a message 
that is sent via the requested connection through the firewall is 
sent from the firewall to the first computer system. The message 
to be sent is modified in the first computer system in accordance 
with the information sent from the firewall. 
DATA COMMUNICATION METHOD FOR SENDING A MESSAGE THROUGH A
FIREWALL

TECHNICAL FIELD

The invention is concerned with a data communication method for sending a
message on a computer network from a first computer system to at least one other
computer system through a firewall. The method can be used for sending protected
messages with various kinds of protection methods, computer networks and
network protocols and is expected to be very useful, for instance, for sending secret
messages.

DESCRIPTION OF RELATED ART

A computer network is formed when two or more computers are connected to each
other. Local area networks (or internal networks) may be formed of the computers
within a company, while wide area networks may extend over bigger areas,
such as many towns and even countries. The networks may be connected via
cables, fibers and/or radio links.

An example of a global network is the Internet. This worldwide network can be used
for communication, delivering and searching for information.

If an internal system for electronic post is installed, everyone connected to the local
network can send messages to each other. The local network can be connected to
another network, which can be an external network, such as the Internet, and so
electronic mail can be sent to the whole world, to everyone connected to the
external network. The Internet is the most common network for data communication,
by for example e-mail.
The fact that several local networks can be connected to other networks, the Internet in
particular, sets up requirements for the security and the equipment therefor.

There are different systems for improving the security. It is important that
data within an internal network is protected so that only the right users can change and
read it. The users usually identify themselves with a user name and a password.
Other security details also exist. Other security problems are network errors and
work stops. With increasing complexity, advanced security systems become
important.

The popularity of the Internet can be seen in the fact that new network products and
services are developed all the time. These products are developed in accordance
with new Internet standards and are applied to the protocols used in transfers on
the Internet.

A firewall is a security system to protect a network against infringement from
unauthorized users in other networks, such as the Internet. A firewall can hinder
computers from communicating directly with other networks, such as external
networks, and vice versa. Instead, all communication is sent through the firewall
placed outside the internal network. The firewall decides if it is safe to let messages
and files pass between the external and the internal network on the basis of the
addresses of the message, which can be in the form of data packets, and different
parameters. The firewall thus controls the communication between the internal and
external network and modifies the data packets of, for example, the TCP/IP based
Internet (with respect to the TCP/IP protocol, see below). Usually, a firewall
translates network addresses and other data defining the communication so that
the internal address and the internal parameters are changed to an external
address and external parameters. This means that, for instance, IP addresses used
in an internal or local network are hidden from outside users. A packet coming from
an external network to an internal network is modified back by the firewall.
The firewall can be formed in many different ways and is usually designed
individually from case to case in accordance with the actual needs of the network. If
the amount of traffic through the firewall is very high, quite extensive hardware for
the firewall computer is needed.

Another method of increasing the security is by means of protection of the
messages to be sent, for instance by tunneling in virtual networks. In virtual
networks several local and global networks use the Internet to be connected to each
other. By tunneling, data is transferred between two networks via a third network,
such as the Internet. In this technique, a given kind of data packets of a given protocol
is encapsulated in packets of another protocol. Packet mode is a transfer method
that can be used in virtual connections. In this technique data is sent in small
"packets" with an address and a sender, so that several persons can use the
connection simultaneously. The other protocol is usually TCP/IP when the
transfers go through the Internet. The own protocols are packed in the TCP/IP
packets that are sent via the Internet.

The data communication between computers is carried out according to given rules
which are called protocols. TCP/IP is one such protocol and is an abbreviation for
Transmission Control Protocol/Internet Protocol. Standards for TCP/IP are well
documented in so-called RFC (Request for Comments) documents. The IP protocol
takes care of the data packets and is responsible for the packets finding the right
addresses. The data packets are addressed by means of Internet addresses and
go from computer to computer until the right destination is reached. Communication
with IP is connectionless, as no fixed connection exists between the communicating
computers. The message goes forward step by step. The TCP protocol takes
care of the transferring of messages between two computers by making a virtual
connection between them without any physical connection. TCP is the
transport protocol that is responsible for the connection itself between sender and
receiver. Also other standards than TCP/IP can be used on the Internet.
The packets go through the "tunnel" maintained by the Internet to the receiver, where
the packets of different protocols are separated from each other and return to the
original form. The authorization of the receiver can be controlled in different ways.
The authorization control can be carried out in two steps: authentication and
authorization. Authentication is carried out to control the identity of the user, while
the authorization defines what the user is authorized to do.

The virtual networks give a high security. The secret information has its own
channel on the Internet as a result of different methods of authentication, encryption
and/or encapsulation.

The security of the Internet is not sufficient for all types of transfers. There are however
ways to protect e-mail and other messages sent through the Internet from others.
Especially high security can be achieved by encryption.

Encryption means that messages are changed before sending so that they cannot
be read before decryption with a special key, usually combined with confirming that the
right person sent the message (authentication). There is a big variety of
encryption methods of the above kind.

In many protection methods all connections have different parameters. The function
wherein the real protection is made is called transformation. In the transformation
function the packet is changed in accordance with given parameters depending on
the actual protection used.

One problem with firewalls is the need for extensive equipment for the firewall
computer if the amount of traffic through the firewall is high.

Another problem with firewalls is that if protection methods are used and the
network is protected with a firewall, the firewall cannot identify the messages to be
sent and will therefore not let them pass.
In existing methods, the protection function or the parameters for the protection are
given to the firewall so that the firewall can identify or protect the message and the
message can then be sent through the firewall. The drawback with such methods is
decreased security for the local network, as secret information is delivered outside
the local network.

US patent 0715668 is mentioned as such prior art. The patent is about secure
transfer of information between firewalls over an unprotected network. Internet
protocol security and IPSec messages are handled in the firewall, without assuming
that encrypted messages have access to all services, by decrypting the message and
controlling the access. Another such method is described in US patent 0586231,
wherein a firewall computer is allowed to provide virtual tunnel records and secret
keys. Further examples of documents wherein the firewall has encryption functions
are UK Patent Application GB 2 317 792 and WO publication 97/00471.

In the European patent application EP 0 858 201 an electronic data transfer system
transmits a message between a first computer system, arranged within a firewall,
and a second computer system. Messages that are not suitable for transmission
through a firewall are translated into a format that is appropriate for transmission
across the firewall.

THE OBJECT OF THE INVENTION

An object of the invention is a method of sending messages that decreases the
work to be done by the firewall computer compared with previously known methods.

The second object of the invention is a safer method of sending protected
messages through a firewall.
More in detail, the second object of the invention is a method wherein protected
messages can be sent through a firewall without delivering information about the
parameters of the protection outside the local network to the firewall.

DESCRIPTION OF THE INVENTION

In the method of the invention a message is sent from a first computer system that
belongs to an internal network, which is protected by a firewall, to at least one other
computer system through the firewall. In step a), a request with data for a new
connection to be opened between the first computer system and at least one other
computer system is sent from the first computer system to the firewall. In step b),
the firewall controls the data for the new connection via which the message is
intended to be sent and, upon approval of the connection by the firewall, information
about the necessary modifications to be made in a message that is sent via the
requested connection through the firewall is sent from the firewall to the first
computer system so that the message can pass through. The necessary
modifications include IP, protocol, TCP and/or port data. In step c), the message
to be sent (in the protected case, before it is protected) is modified in the first
computer system in accordance with the information sent from the firewall. In step d),
which is optional and can be carried out before step c) or after step c),
identification data of the connection for the message to be sent between said
computer systems is sent to the firewall so that the message can be identified by
the firewall to be able to pass the same. In step e), the (protected) message is then
sent from the first computer system to the at least one other computer system
through the firewall.

In an application of the method, the message to be sent is protected, as the method
is very suitable for sending protected messages. The message to be sent between
said computer systems is in that case protected in step c) after it has been
modified, whereby step d) is necessary and the data to be sent from the first
computer system to the firewall includes the necessary information so that the
connection for the message can be identified by the firewall.

The protection method can be some method known in the art. One suitable way to
protect the message is to use methods defined in the standard RFC 1825 for
TCP/IP. This standard includes sub-standards for, for instance, authentication
methods and encryption methods, which can be used separately or simultaneously
in a message sent with the method of the invention. RFC 1825 is the standard
defining the IPSec security architecture, which consists of the technical
principles for the method used. IPSec, in turn, has sub-standards such as ESP,
which is an abbreviation for Encapsulating Security Payload and provides
encryption, and AH, which is an abbreviation for Authentication Header, the IP
standard for authentication. The authentication method might be a keyed MD5 or
SHA hash or another method known in the art. The encryption method might be some
known method such as DES, Blowfish or the like.

In step a), the request for a new communication sent from the first computer system
to the firewall contains, for instance, data of the new connection to be opened
between the first computer system and at least one other computer system, for
example in the form of address identification data and other such parameters. Typical
other parameters are for instance IP data (the sender address, the receiver
address), the type of protocol and TCP data: the sender port and the receiver port.
The port defines the application for sending the data with e.g. TCP/IP, such as the
program used, the web browser etc.

In step b), typical parameters that the firewall modifies so that the messages can
pass through are the above data, for instance IP data (the sender address, the
receiver address), the type of protocol and TCP data: the sender port and the
receiver port. The modifications might comprise all data of step a) or a part of them.
All of the data to be modified might be known by the firewall even if not exactly
included in step a).
Messages can only go through a firewall if the firewall can identify them to be
allowable messages. In step d), identification data for the protection used to protect
the message to be sent between said computer systems is sent to the firewall so
that the protected message can be identified by the firewall. The identification data
is in such a form that the firewall can identify the actual connection but not the
actual parameters that have been used to protect the message. There exist many
allowed connections with the same IP address but different other parameters. The
actual protected message is sent in accordance with the parameters of one of the
allowed connections and shall be identified by the firewall as being allowed and
safe to deliver. If the message is not protected, step d) might be unnecessary in
some embodiments, but is still advantageous to carry out in other embodiments; for
instance if much traffic is going through the firewall, step d) might speed up the
sending.

In the invention, the inventive idea is that a part of the firewall functionality has
been given to another computer function and is carried out in the first computer
system. If the message is protected, the firewall and the first computer system
transfer the necessary information so that the firewall is able to pass the
protected messages without having knowledge about the actual parameters used to
protect the message to be sent.

In the following, the invention is described by means of some preferred
embodiments of the invention. The details of the embodiments can vary within the
scope of the claims.

BRIEF DESCRIPTION OF DRAWINGS

Figure 1 is a flow sheet over the different steps of the method of the invention.

Figure 2 is a schematic view of the computer network within which the data
communication of the invention is carried out.

DETAILED DESCRIPTION OF THE INVENTION

Figure 2 is a schematic view of a computer network within which the data
communication of the invention can be carried out. A message shall be sent from a
first computer system C1 to a second computer system C2.

In figure 2, the first computer system belongs to an internal network. The internal
network is protected by a firewall, so that all messages to be sent and received
through the firewall have to be identified and accepted by the firewall.
The firewall controls data of the connection via which the messages are sent and, if
the connection is accepted by the firewall, the messages can pass the firewall.
Before the messages can pass the firewall, they are modified in the firewall in
accordance with given parameters, such as address changes and protocol
changes. The computer system C1 has a virtual connection to computer system
C2, which means that messages to be sent from the first computer system C1 to
the second computer system C2 are sent via one or more other networks, such as
external networks, for instance the Internet, after having passed the firewall, before
ending up at and being received by the second computer system C2.

Figure 1 is a flowsheet over the different steps of an embodiment of the method of
the invention. A message shall be sent on a computer network from the first
computer system C1 to a second computer system C2 through a firewall, which is
placed outside the internal or local network to which the first computer system C1
belongs. The method of the invention can be used both for the purpose of decreasing
the work to be carried out by the firewall and/or for sending protected messages. If
the message to be sent shall be protected before sending in accordance with the
second embodiment of the invention, it cannot be sent through the firewall in the
normal way, because the firewall is not able to control address identification data of
protected messages or forward encrypted messages. Therefore, in accordance with
step a) of the invention, an information message is sent from the first computer
system C1 to the firewall containing data about a new connection between the first
computer system C1 and a second computer system C2 in the form of, for
instance, address identification data and possible other parameters for the
message to be sent between said computer systems. If the firewall accepts this
connection, the sending proceeds so that, according to step b), information about
necessary changes to be made in the message is sent from the firewall to the first
computer system C1 so that the message can be sent through the firewall. The
message that is intended to be protected with some protection method, which can be
an authentication method and/or encryption method, and shall be sent is according
to step c) first modified by the first computer system C1 in accordance with the
information sent from the firewall, before protection. Before the protected message
is sent, identification data of the protection method that has been used for
protection of the message is according to point d) sent from the first computer
system C1 to the firewall F so that the protected message can be identified, but not
read, by the firewall, to be able to be passed by the same. If the message is not
protected, step d) is optional if the firewall used is able to identify the message.
Step d) can also be carried out before step c). The protected message is then
according to step e) sent from the first computer system C1 to the other computer
system C2 through the firewall.
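The following is an added illustration of steps a) to e) as described in the Description of the Invention and in the Figure 1 walkthrough above; it is constructed for this page and is not code from the application or from any product. The names Packet, Firewall, protect, verify, run_invention and run_conventional are assumptions of the example. An HMAC-SHA-256 tag over the packet header and payload stands in for an IPsec AH/ESP transform (a real AH tag likewise covers the immutable header fields), the addresses are taken from the RFC 5737 documentation ranges, and the shared key is a constructed value. The example also runs the conventional ordering (the firewall rewriting the packet after protection, as in the Figure 2 network) to show why the modification has to be made by C1 before the message is protected.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed simulation of steps a) to e). Packet, Firewall, protect() and
# verify() are illustration names, not anything from the application; the
# HMAC-SHA-256 tag stands in for an IPsec AH/ESP transform, and the addresses
# are RFC 5737 documentation ranges chosen for the example.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    payload: bytes
    auth: bytes = b""  # integrity tag over header + payload; empty if unprotected

    def conn_id(self):
        """The 5-tuple the firewall uses to identify a connection (step d) data)."""
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)

    def header_bytes(self):
        return "|".join(str(f) for f in self.conn_id()).encode()


def protect(pkt, key):
    """Protection applied by C1 after step c): the tag covers the header as it
    will appear outside the firewall, so any later rewrite invalidates it."""
    tag = hmac.new(key, pkt.header_bytes() + pkt.payload, hashlib.sha256).digest()
    return replace(pkt, auth=tag)


def verify(pkt, key):
    """C2's check: recompute the tag over the header and payload it received."""
    tag = hmac.new(key, pkt.header_bytes() + pkt.payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, pkt.auth)


class Firewall:
    """NAT firewall that hands its translation to the client instead of applying it."""

    def __init__(self, external_ip, allowed_dst_ports):
        self.external_ip = external_ip
        self.allowed = set(allowed_dst_ports)
        self.next_port = 40000
        self.nat = {}            # internal 5-tuple -> (external ip, external port)
        self.registered = set()  # external 5-tuples announced in step d)

    def request_connection(self, conn):
        """Steps a) and b): policy check, then return the modifications C1 must
        make (here: the source address and port the outside world will see)."""
        src_ip, dst_ip, proto, src_port, dst_port = conn
        if proto != "tcp" or dst_port not in self.allowed:
            return None  # connection refused; nothing is told to the client
        mapping = (self.external_ip, self.next_port)
        self.next_port += 1
        self.nat[conn] = mapping
        return {"src_ip": mapping[0], "src_port": mapping[1]}

    def register(self, conn_id):
        """Step d): C1 announces the connection identifier only; the key and the
        transform parameters never leave the internal network."""
        self.registered.add(conn_id)

    def forward(self, pkt):
        """Step e): pass a registered, already-rewritten packet untouched."""
        return pkt if pkt.conn_id() in self.registered else None

    def nat_rewrite(self, pkt):
        """Conventional behaviour (Figure 2): the firewall rewrites the packet itself."""
        ext_ip, ext_port = self.nat[pkt.conn_id()]
        return replace(pkt, src_ip=ext_ip, src_port=ext_port)


KEY = b"constructed shared key between C1 and C2"   # constructed value
INTERNAL = ("10.0.0.5", "198.51.100.20", "tcp", 51234, 443)


def run_invention():
    """Modify first, protect second: C2 verifies the tag successfully."""
    fw = Firewall("203.0.113.7", allowed_dst_ports={443})
    mods = fw.request_connection(INTERNAL)                         # a) + b)
    if mods is None:
        return False
    pkt = replace(Packet(*INTERNAL, payload=b"hello C2"), **mods)  # c)
    pkt = protect(pkt, KEY)                                        # protection after c)
    fw.register(pkt.conn_id())                                     # d)
    delivered = fw.forward(pkt)                                    # e)
    return delivered is not None and verify(delivered, KEY)


def run_conventional():
    """Protect first, let the firewall rewrite afterwards: the tag no longer
    matches the header C2 sees, so C2 rejects the message."""
    fw = Firewall("203.0.113.7", allowed_dst_ports={443})
    fw.request_connection(INTERNAL)      # only populates the NAT table
    pkt = protect(Packet(*INTERNAL, payload=b"hello C2"), KEY)
    return verify(fw.nat_rewrite(pkt), KEY)


if __name__ == "__main__":
    print("invention ordering verifies:", run_invention())        # True
    print("conventional ordering verifies:", run_conventional())  # False
```

Two points of the design are worth noting. The firewall's forward() matches only the connection identifier announced in step d) and never touches the packet, so it needs neither the key nor the transform parameters; and because the tag was computed over the header as it will appear after translation, C2's check passes in run_invention() and fails in run_conventional(), which is exactly the incompatibility between in-firewall rewriting and header-covering protection that the application sets out to avoid.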
CLAIMS

1. Method for sending a message from a first computer system C1 that belongs to
an internal network, which is protected by a firewall, to at least one other
computer system C2 through the firewall, characterized in the following
steps:

a) sending from the first computer system to the firewall, a request with data for a
new connection to be opened between the first computer system C1 and at
least one other computer system C2 for a message to be sent between said
computer systems C1, C2,

b) the firewall controls the data for the new connection via which the message is
intended to be sent and, upon approval of the connection by the firewall,
sending from the firewall to the first computer system C1, information about the
necessary modifications to be made in a message that is sent via the requested
connection through the firewall, so that the message can pass through, the
necessary modifications including IP, protocol, TCP and/or port data,

c) modifying, by the first computer system C1, the message to be sent in
accordance with the information sent from the firewall,

d) optionally, and before or after step c), sending from the first computer system
C1 to the firewall identification data of the connection for the message to be
sent between said computer systems C1, C2 so that the connection for the
message can be identified by the firewall and the message can pass the
firewall,

e) sending the message from the first computer system C1 to the at least one
other computer system C2 through the firewall.

2. Method of claim 1, characterized in that, the message to be sent
between said computer systems C1, C2 is protected in step c) after it has been
modified, whereby step d) is necessary and the data to be sent from the first
computer system C1 to the firewall includes the necessary information so that the
connection for the message can be identified by the firewall.

3. Method of claim 2, characterized in that the protection is made using
the IPSec system.

4. Method of claim 2 or 3, characterized in that the message to be sent is
authenticated.

5. Method of any of claims 2 - 4, characterized in that the message to be
sent is encrypted in step c).

6. Method of any of claims 1 - 5, characterized in that the information
message in point a) contains data of the new connection to be opened between
the first computer system C1 and at least one other computer system C2 in form
of address identification data and possible other parameters.

7. Method of claim 6, characterized in that the possible other parameters
are data about the port and the protocol used for sending.

8. Method of any of claims 1 - 7, characterized in that in step b) the
modifications include address identification data and/or the port and/or the
protocol used for sending.

9. Method of any of claim 1 - 7, characterized in that, the message is
using the TCP/IP protocol.

10. Method of any of claim 1 - 8, characterized in that, the message is sent
via the Internet.